Require Developer Certificate of Origin in pull requests

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml
new file mode 100644 (file)
index 0000000..caf4fba
--- /dev/null
+++ b/.github/workflows/dco.yml
@@ -0,0 +1,39 @@
+name: Test Developer Certificate of Origin
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Test Developer Certificate of Origin
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Determine branch name
+        run: |
+          BRANCH="${GITHUB_BASE_REF#refs/heads/}"
+          echo "Checking DCO for every commit on branch ${BRANCH}"
+          echo "BRANCH=${BRANCH}" >> ${GITHUB_ENV}
+      - name: Test DCO for every commit
+        run: |
+          RET=0
+          # this will not work properly if what we are testing is not a pull request
+          for commit in $(git rev-list HEAD ^origin/${BRANCH}); do
+            echo "=== Checking commit '${commit}'"
+            body="$(git show -s --format=%b ${commit})"
+            expected="$(git show -s --format='Signed-off-by: %aN <%aE>' ${commit})"
+            if echo "${body}" | grep -qF "${expected}"; then
+              echo "Signed-off-by matches author"
+            else
+              echo "Signed-off-by is missing or doesn't match author (should be '${expected}')"
+              RET=1
+            fi
+          done
+          exit ${RET}

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 138f38b80e92fe4039caff51965ed8bcaf8dc4b6..2bc3d04bc435ee111dda3d790b2c1a048de9751c 100644 (file)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -72,6 +72,23 @@ plus various other directories with `regression-tests.*` names.
 * The rest of the commit body should be wrapped at 72 characters (see [this](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html) for more info)
 * If this commit fixes an issue, put "Closes #XXXX" in the message
 * Do not put whitespace fixes/cleanup and functionality changes in the same commit
+* Include a valid Signed-Off line as a [Developer Certificate of Origin](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin)
+
+# Developer Certificate of Origin
+
+We require a "Signed-Off" on all commits contributed to the PowerDNS codebase, as a [Developer Certificate of Origin](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin)
+
+If you have properly configured `user.name` and `user.email` in your `Git` configuration, `Git` includes a `-s` command line option to append this line automatically to your commit message:
+
+```sh
+git commit -s -m 'Commit message'
+```
+
+If you already committed your changes, you can do a `git rebase` to add a sign-off to existing commits. For example, if your branch is based on the `master` one:
+
+```sh
+git rebase --signoff master
+```
 
 # Formatting and Coding Guidelines